Calls for law change after Indians left in dark over data leaks

Fears Indian telecom upstart Reliance Jio suffered a major data breach, compromising the personal data of over 100 million customers, have prompted calls for India to adopt more robust laws to protect consumers.

Jio has repeatedly denied any breach took place and said that names, telephone numbers and email addresses of Jio users on a website called "Magicapk" appeared to be "unauthentic." The website was later shut down.

The company, part of conglomerate Reliance Industries Ltd, said on Monday that its subscriber data was safe and protected by the highest levels of security.

However, Jio filed a complaint the same day alleging unlawful access to its systems, police have told Reuters.

Jio did not respond to requests for comment.

In contrast to companies in the European Union, which has stringent data protection standards, companies in India do not have to disclose data breaches to clients, information security professionals said.

"It raises questions of security and accountability," said Pranesh Prakash, policy director at the Centre for Internet and Society (CIS), a research organization.

People complained on Twitter about personal information of Jio users being available on the Magicapk site. Several local news outlets said their checks had led them to believe a leak had occurred.

"A rule to report breaches exists, but it is unenforceable," says Prakash. "It says you're not liable if you're following reasonable security practices. What 'reasonable' means is not defined."

Advocates of stronger laws in India say a data breach in countries with more stringent cyber laws, such as Britain or the United States, would prompt an inquiry by regulators.

After reports of a data leak at Verizon earlier this week, for example, the U.S. telecoms firm quickly responded with an explanation of what had occurred, how it had happened and the extent of the problem.

"India is at a nascent stage. For good norms in Asia, look to Singapore. It's been praised for not having cyber security issues by the UN," Srinivas Kodali, an independent security researcher, said.

Not a Priority

"We don't have full-menu data protection laws," said Apar Gupta, a Supreme Court lawyer working on data privacy issues. "We don't even have an institutional framework or expert body to implement the limited data protection regulations that do exist. It's so limited it's more accurate to say no law exists."

In May alone, there were two data security incidents in India.

The records of 17 million customers of Zomato, a popular food-delivery app, were put on sale online. Zomato initially advised customers that their passwords were secure, but later advised users to change them.

Separately, a CIS report said the Aadhaar numbers of as many as 135 million Indians had leaked from government databases and could be found online. (bit.ly/2tOseSV)

The number, similar to a U.S. social security number, is unique to each Indian citizen and the Aadhaar database also stores a user's biometric data. The government is pushing for Aadhaar numbers to be used in everything from opening bank accounts to filing tax returns.

For India, data privacy is not a priority, said Amry Junaideen, a risk advisor at audit firm Deloitte.

"From an organizational perspective there's really no incentive other than being a good corporate citizen, to report a breach," he said, noting that in the European Union and United States the regulatory framework is basically for the good of the consumer, but that this is not the case in India.

India, home to the back offices of many large multinationals and outsourcing companies, has also unsuccessfully sought "data-secure" status from the European Union since 2012.

The status is vital for information sharing between entities in the EU and India, because it means the EU is satisfied that data protection rules in a country meet its standards, so data of EU citizens can be sent to that jurisdiction.

In 2010, a European Union study of data protection in India noted there were "no aspects of India's data protection which would unequivocally be regarded as 'adequate' by European Union standards as yet".

Support Us

You may donate online via Instamojo. Or, write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru, 560071.

Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil[at]cis-india[dot]org or Sumandro Chattapadhyay, Research Director, at sumandro[at]cis-india[dot]org, with an indication of the form and the content of the collaboration you might be interested in.

In general, we offer financial support for collaborative/invited works only through public calls.

About Us

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and practices around internet, technology and society in India, and elsewhere.